Some HTML editors already set this while it creates a page, but those of you who have older HTML editors or like me, like to code page from scratch will need to include following line in our HTML pages: < META http-equiv="Content-Type" content="text/html; charset=IS0-8859-1"> It should go as high as possible on your webpage, I normally place it just after < /head> tag, before < title> tag. This META tag tells browser to use "ISO-8859-1" character set, which is suitable for most Western European languages, rather than let browser choose it's own character encoding, which may or may not be ISO-8859-1.

Why is it important to explicitly set it? The character encoding basically tells browsers how to display a particular character. For example, in ISO-8859-1character set, "A" represents letter "A" while "©" represents copyright symbol "©" (You can try this out by typing < p>A< /p> or < p>©< /p> in a html file then call it up on a browser). Some character sets, have more than one representation for special characters such as "<" or ">", so your filter program may not toss out all representations of character you have asked it to exclude. So when it serves a new page back to browser, browser, because it has not been told what encoding to use, can still read malicious script intact.

So there you have it, 3 steps that should be incorporated into every website. Use them as a base to further build on. Because every site is different, you (or security consultant you hire) will need to assess your site's own vulnerabilities and implement appropriate security measures. To do this you need to take into account your site's risk factor, your budget and your available resources.

On a final note, I'd like to stress importance of keeping up with latest threats and developments in site security. A good site for checking out security alerts is CERT Coordination Center http://www.cert.org/nav/index.html or better yet sign up for their Security Advisory that is sent via email.

The Apache web server provides a feature called .htaccess, which provides commands to control a web site. This file is very obscure and extremely useful when used properly. You have to be careful when editing .htaccess files, as a small mistake can make your web site stop working. What I like to do is immediately test site to be sure it works.

Be sure not to make mistake that I made once - I browsed to my site, saw that home page came up, and went to work. Later, I found it was not working but appeared to work because home page was stored in my browser cache. Thus I learned a simple lesson hard way: always hit refresh key of browser when testing .htaccess changes.

I did a little research and testing, and added following lines to my .htaccess file.

redirect /scripts http://www.stoptheviruscold.invalid redirect /MSADC http://www.stoptheviruscold.invalid redirect /c http://www.stoptheviruscold.invalid redirect /d http://www.stoptheviruscold.invalid redirect /_mem_bin http://stoptheviruscold.invalid redirect /msadc http://stoptheviruscold.invalid RedirectMatch (.*)cmd.exe$ http://stoptheviruscold.invalid$1

These lines did exactly what I wanted them to do - they stopped virus from creating 404 errors in my log file, and they prevented my 404 error page from being triggered, thus creating lots of useless bandwidth utilization. There is still some bandwidth used, obviously, but it is far less than it would have been. The load on server is also considerably reduced, which should make my web hosting company happy.

Note that log file entries are still made by various worms as they attempt to penetrate server. These entries do now show as errors, which makes it easier to pick out real errors from logs.